Snort mailing list archives
Receive only success/questions
From: w <sibertron () sibertron org>
Date: Thu, 6 Sep 2001 21:23:19 -0500 (CDT)
Hi,

I built receive only cables based on the following methods:

Method 1:
http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm

Method 2:

LAN.......Sniffer
1.-----\..../--.1
2.---\.|....\--.2
3.---+-*-------.3
4.-..|........-.4
5.-..|........-.5
6.---*---------.6
7.-...........-.7
8.-...........-.8

(Found in FAQ, as well as on the list).

Hardware:
3Com TP4 10 MB HUB
2 Toolless IDC Keystone Jacks (Frys sucks)
1 150pF capacitor (Frys still sucks)
3 Cat 5 cables

Result:
I had success with both methods. Method 1, of course, is simpler to build. I did notice that a "few" packets managed to sneak by although the error rate was well over 85%. For the absolutist, Method 2 is probably the way to go. I tested both methods (to a limited extent) with snort, iptraf and ethereal.

Question:
For Method 2, the 3Com hub I used placed the connected port in a partitioned/isolated state. This did not seem to affect the port's ability to receive data. I'm wondering if anyone knows whether this will pose any potential problems (i.e., spontaneous disconnects for any other devices connected to the same hub...uhhh, if that makes any sense... :-).

Thanks,
W

--
w () sibertron org